Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, 85.234.190.0 appeared to function as an intermediary for the infection of 476 site(s) including lekarnar.com/, mysofa.es/, audiofile.org.ua/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 1999 domain(s), including audiofile.org.ua/, votailprof.it/, capinaremos.com/.

There's very little point playing whack-a-mole with these Latvian IP addresses. It's probably worth null-routing the entire country until some government agency that isn't being paid off by Russian organised criminals sorts the mess out. There's a list of major Latvian IP address allocations here. Unless you do business in the Baltic states, blocking all of them will probably do no harm.

Holy moley.. the FX TV channel in the UK certainly runs some interesting shows (Dexter, Breaking Bad, Better Off Ted). This latest one coming in the Autumn is about.. zombies! Yeah, it looks a bit like a 28 Days Later / Mad Max mashup, but it has Egg from This Life in it and Gale Anne Hurd is involved.

Check out the trailer (possibly works in the UK only) or read more here. More information about the show and the graphic novel can be found here.

Oh yes, in the US it's showing on AMC which has a decent photo gallery and other stuff here.

Latvia is definitely becoming a problem when it comes to black hat hosting. The 159.148.117.0/24 range (159.148.117.0 - 159.148.117.255) is another malicious block, forming part of AS2588 belonging to Latnet (similar to microlines.lv). At a rough count, about half the IP address ranges I am currently blocking are based in Latvia.

This bunch of domains is a mix of fake pharma sites, browser exploits, illegal downloads and possibly some hijacked domains. In any case, there is nothing of use here and either blocking the entire IP range, or the list below is probably a good idea.

There's a more detailed file with MyWOT ratings and IP addresses to download here.

Tuesday, 24 August 2010

This is a fraudulent job offer originating from an IP address in Vietnam, with a ridiculous salary for doing next to nothing:

Hello message

We are in a hurry to offer you position in the building Company.
In few words our Company provides huge circle of building services like
building, landscaping, interior and exterior design of premises, houses etc.

We offer you:
- career growth
- flexible working day
- minimal requirements to become the part of our team

Job description:
- type of work: part time position
- the place to work: your home office
- territory of work: you area(city)
- salary: 60.000 euro per year + percents of transactions
- principle of work: work with clients/partners getting tasks online

My name is JAMES ROBERTS , a designer also the Manager of JAMES ROBERTS FABRIC and Consultant live and work here in United Kingdom,will you like to work online from home and get paid without affecting your present job?

Actually I need a representative who can be working for the company as online book-keeper. We make lots of supplies to some of our clients in the USA/CANADA/EUROPE, for which I do come to USA/CANADA/EUROPE to receive payment and have it cashed after I supply them raw materials. It’s always too expensive and stressful for me to come down and receive such payment twice in a month so I therefore decided to contact you.

I am willing to pay you 10% for every payment receive by you from our clients who makes payment through you. Please note you don't have to be a book keeper to apply for the job.

Kindly get back to me as soon as possible if you are interested in this job offer with your details:

You can only really trust the last hop before it hits your mail server (in truth, not always then either). That IP is 213.244.123.84 which is indeed mail.pna.ps.

So what the heck is .ps? Well, it turns out to be the TLD for Palestine, and the PNA is the Palestinian National Authority, with servers that look to be based in Ramallah on the West Bank. So, it looks like the PNA mail servers are either insecure or compromised.

Did you even know that Palestine had a TLD of its own? I didn't.. so I guess this spam has taught me something!
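Pulling the last hop out of a message the way the post describes, as an added example (not code from the original post): only the topmost Received: header was written by your own server, so only the peer it names can be trusted; every header below it was supplied by whoever handed the message on. The sample message is constructed; the hop 213.244.123.84 / mail.pna.ps comes from the post, and mx.example.invalid, the 10.0.0.7 relay and the jamesrobertsfabric.invalid host are made up.

```python
# Added example, not from the original post. Read the Received: chain of a
# message and report the peer that connected to our own server (the topmost
# header), which is the only hop the sender could not have forged.
import email
import re

# Constructed sample; the top hop (213.244.123.84, mail.pna.ps) is the one
# discussed in the post, the other hosts are invented.
SAMPLE_MESSAGE = """\
Received: from mail.pna.ps (mail.pna.ps [213.244.123.84])
\tby mx.example.invalid (Postfix) with ESMTP id 1234ABCD
\tfor <victim@example.invalid>; Tue, 24 Aug 2010 09:12:33 +0100
Received: from [10.0.0.7] (unknown [10.0.0.7])
\tby mail.pna.ps (Postfix) with ESMTPA id 9876ZYXW;
\tTue, 24 Aug 2010 09:11:58 +0200
Received: from mail.jamesrobertsfabric.invalid (mail.jamesrobertsfabric.invalid [203.0.113.5])
\tby [10.0.0.7]; Tue, 24 Aug 2010 09:11:00 +0200
From: JAMES ROBERTS <james@jamesrobertsfabric.invalid>
Subject: Hello message

We are in a hurry to offer you position in the building Company.
"""

# Postfix/sendmail write the connecting peer as "(name [a.b.c.d])"; the name
# part is whatever reverse DNS said, or "unknown".
_PEER_RE = re.compile(r"\((?:(\S+)\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def received_hops(raw_message):
    """Received: headers in message order (top first), unfolded onto one line each."""
    msg = email.message_from_string(raw_message)
    return [re.sub(r"\r?\n[ \t]+", " ", h) for h in msg.get_all("Received", [])]


def peer_of(received_header):
    """(claimed name, IP) of the peer that delivered this hop, or None if absent."""
    m = _PEER_RE.search(received_header)
    if not m:
        return None
    return (m.group(1) or "unknown", m.group(2))


def last_trusted_hop(raw_message):
    """The peer that handed the message to our own server: the topmost Received:."""
    hops = received_hops(raw_message)
    return peer_of(hops[0]) if hops else None


def hop_chain(raw_message):
    """All hops, top to bottom; everything after the first entry is unverified."""
    return [peer_of(h) for h in received_hops(raw_message)]


if __name__ == "__main__":
    name, ip = last_trusted_hop(SAMPLE_MESSAGE)
    print(f"trusted last hop: {name} [{ip}]")
    for depth, hop in enumerate(hop_chain(SAMPLE_MESSAGE)):
        print(f"  hop {depth}: {hop}{'' if depth == 0 else '  (claimed by sender)'}")
```

The lower hops are still worth reading for context (here they suggest a webmail login, ESMTPA, on the PNA server), but any blocking or reporting decision should be based on the top entry only.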

Friday, 13 August 2010

This is a weird mashup of an FBI scare scam and a lottery scam, spelling out very clearly that it is really an advanced fee fraud. It makes no sense.. why would the FBI be informing you that you had won the lottery in the UK anyway? Bin it.

This is to officially inform you that it has come to our notice and we have thoroughly completed an Investigation with the help of our Intelligence Monitoring Network System that you legally won the sum of $850,000.00 US Dollars from a Lottery Organization in the United Kingdom. During our investigation we discovered that your e-mail won the Lottery from an online balloting system and we have authorized this winning to be authentic and paid to you via a Certified Cashier's Check. Normally, it will take up to 15 business days for an International Check to be cashed by your local bank. We have successfully come to an agreement with this organization on your behalf that funds are to be drawn from a registered bank within the United States of America so as to enable you cash the check instantly without any delay, henceforth the stated amount of $850,000.00 US Dollars has been deposited with Chase Manhattan Bank.

We have completed this investigation and you are hereby approved to receive the winning prize as we have verified the entire transaction to be Legitimate, Safe and 100% risk free of scams and frauds of any nature, due to the fact that the funds have been deposited at Chase Manhattan Bank you will be required to settle the following bills directly to the lottery claims agent in-charge of this transaction whom is located at the liaison office of the Lottery Organization in Washington, DC. According to our records, you are required to pay for the following:

(1) Deposit Fee's (Fee's paid by the organization for the deposit into Chase Manhattan Bank)

The total amount is $349.99 (Three Hundred & Fourty Nine United States Dollars & Ninety Nine Cents). We have tried our possible best to have the lottery organization deduct the $349.99 from your lottery winning but the funds have already been deposited at Chase Manhattan Bank and cannot be accessed by anyone apart from you the winner. Therefore you will be required to pay the needed funds to your lotto claims Agent in-charge of this transaction. The payment will NOT reflect at the Chase Manhattan Bank with the given transaction code (US8976-003) until you have covered the processing fees needed.

In order to proceed with this transaction, Click Here(ericaclain@gala.net) to contact your claims agent Mrs. Erica Molin .You may be required to call her for verbal verification and e-mail her with the following informations:

FULL NAME:

LOCAL ADDRESS (INCLUDING CITY/STATE/ZIPCODE):

AGE/GENDER/OCCUPATION:

CONTACT PHONE NUMBERS (CELL & HOME):

You will also be required to request details on how to pay up the required $349.99 in order to immediately ship your prize of $850,000.00 USD via Certified Cashier's Check drawn from Chase Manhattan Bank, Also include the following transaction code in order for her to immediately identify this transaction: US8976-003. This letter will serve as proof that the Federal Bureau Of Investigation is authorizing you to pay the required $349.99 ONLY to your claims agent via the information in which she shall send to you upon your request, if you do not receive your winning prize of $850,000.00 US Dollars we shall be held responsible for the loss and this shall invite a penalty of $3,000 which will be made PAYABLE ONLY by you (The Winner).

Robert Anderson, Jr.

Special Agent in Charge

NOTE: In order to ensure your check gets delivered to you ASAP, you are advised to immediately contact Mrs. Erica Molin(ericaclain@gala.net) via contact information provided above and make the required payment of $349.99 to information in which she will provide you.

I don't play World of Warcraft or Starcraft.. but lots of people do and Blizzard accounts (used for playing the game online) are often a target for phishers. Why? Well, these accounts can be resold and are worth real money.

This post at the Sunbelt software blog caught my eye.. but knowing that fake WOW / Blizzard sites don't tend to travel alone I did some digging and came up with a whole batch of them on neighbouring IPs.

Saturday, 7 August 2010

I quite enjoy this spammy crap I get from Robert Allen, in all its breathless uselessness, from a company that only rates a D+ from the BBB.

Hello Conrad,

One day we must talk about where you got your mailing list from.

It’s Robert Allen checking in with some MAJOR NEWS for you!

Major news? You've discovered you have some horrible terminal disease that causes you to die through continuous pustulant eruptions? No? Shame.

I am very excited to announce an amazing new program that reveals how anyone can quickly and easily get FREE MONEY from the Government.

What, you want me to become a failed bank?

No technical jargon or complicated procedures, simple, straight forward advice and methods on how to locate the free money that you are entitled to.

Which government is this exactly?

Best of all, you can get your own copy of this hot, new course for free.

Why do I feel that there will be a catch?

Read on … because this is exciting!

This must be a definition of "exciting" that I wasn't previously aware of.

My friend and colleague Rex Hudson just put the finishing touches on his brand new, “FREE MONEY with GRANTS” audio training course, and I’ve convinced him to give you, a free copy of this info packed 4 disc audio library!

How did that go? "Rex, I'd really like to send a free copy of this training course to Conrad!" "Oh Robert, I'm not really sure I want to do that!" "Oh come on Rex, he's a great guy!" "Oh alright then Robert".

Over the course of his long and varied investment career, Rex has held SEC licenses for Stock, Bond, Insurance, Options and Commodities. As an MBA and the VP of Investments for a National Bank he also held a Municipal Bond Principle License and operated as a Registered Investment Advisor. As the investment manager Rex held discretionary investment authority on over $850 Million in assets. The bottom line is Rex knows money!

He's a stockbroker and banker, basically. But now he works for the "Enlightened Wealth Institute" as "Vice President of Training" which is a bit of an interesting career move.

Now you can have a chance to learn from the master – and get his best, proven techniques for getting FREE MONEY from the GOVERNMENT.

I did say he was a banker.

Rex’s FREE MONEY with GRANTS is your one stop source for BILLIONS of dollars that is ready, available, and waiting to be claimed! This easy to listen and easy to follow 4 disc audio program tells you exactly what to do to find your share of this FREE MONEY.

Dollars? Can I have pounds instead?

FREE MONEY with GRANTS audio program contains simple plan for putting
cash in your hands. And this is FREE MONEY THAT YOU NEVER HAVE TOPAY BACK!

Champagne does taste so much better when it has been paid for by the taxpayer.

Find out how to get free money grants from Uncle Sam!
Find out how to get free money grants from private foundations!
Find out how to borrow money with government guarantees!
Discover the huge opportunity in selling to the government!

I don't have an Uncle Sam. Wait, Robert.. you didn't think I was American did you?

These are some of the best kept secrets of our government – and now you will know there are BILLIONS OF DOLLARS sitting, waiting to be claimed. And MILLIONS of people are eligible to receive free money from the government.

Honestly, no.. I don't think these are the best kept secrets of the US Government. I mean, they probably even have leaflets and stuff.

The FREE MONEY WITH GRANTS audio program is your ultimate guide to getting your share of free money from the government.

You can keep shouting FREE MONEY WITH GRANTS all you like but you are still not going to convince me. Actually, I'm starting to get a headache now.

Rex’s “FREE MONEY with GRANTS” quick cash program could easily retail $69.95,
but in true “Nothing Down” fashion, I’ve arranged for you to get this fantastic new 4 CD audio training course for FREE … not even shipping and handling!

Nearly seventy dollars? Well, you can put whatever price on it you like.. it doesn't mean that it will sell. Look at the bidding wars going on for these items.. oh wait, they're not even shifting for 99 cents. And by "nothing down" I guess you mean that I don't have to pay anything NOW for them.. but what about later?

All you have to do is dial toll free 1-888-384-4047 RIGHT NOW and let me know where to ship your course! That’s it … it’s as simple as that!

Please ship it firmly up your own backside.

I am very excited about Rex’s “FREE MONEY with GRANTS” 4 CD audio training
program and I look forward to sending you your FREE COPY!

Massive Success,

Wicked!

Robert Allen
P.S. Don’t Wait! Call toll free 1-888-384-4047 RIGHT NOW. This offer is NOT going to last forever. Rex is only allowing us to give away a very limited number of these hot courses. So act now so you don’t miss out! Get your copy today!

I'll pass if it's OK with you.

Please note that product prices and availability are limited time offers and are subject to change. We respect your privacy. To remove yourself from this mailing list, click http://www.ewimail.com/unsubscribe.aspx or reply to this message with “unsubscribe” as the subject line or write us at Enlightened Wealth Institute, LC, 5072 N 300 W Provo, UT 84604

But apparently you don't respect my intelligence by sending me this crap.

Friday, 6 August 2010

Back in May they were called Maximus Hosting Services but I guess it's always embarrassing when you're not number one in Google for your own name.. so now this outfit from Russia appears to be calling itself MAXHOSTING SERVICES. Note that it looks like there are several Russian businesses of a very similar name, presumably most of which are legitimate.

It looks like it is working closely with GlobalNET Bosnia.. which is kind of weird because Russia doesn't exactly have a shortage of dodgy web hosts. GlobalNET operates AS42560 (77.78.192.0/18); MAXHOSTING appears to have rented out half of that, giving 77.78.224.0/19, i.e. 77.78.224.0 - 77.78.255.255. The other half of the GlobalNET range is mostly legitimate apart from an apparent Stelivo phishing site on 77.78.192.140 called justadultchat.co.uk.

Anyway, 77.78.224.0/19 is a real sewer consisting of fake job sites, phishing, hacking sites, fake escrow sites, illegal downloads, malware and other nasty stuff. According to ratings from the WOT API it is mostly toxic rubbish, and even the sites with "good" rankings are involved in something illegal.

77.78.224.0/19 is certainly worth blocking, and/or the domains listed below. If you want the IP addresses and the WOT ratings in a handy form then you can download them from here, else there's a list of the currently dodgy domains below:
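Working with the blocks named in this post and in the Latnet post above, as an added example (not code from the original post): expand a CIDR block into its first and last address, split a /18 into the two /19 halves so you can see which half the MAXHOSTING range is, and test candidate addresses against a small blocklist. The CIDR blocks and the 77.78.192.140 address come from the posts; the list layout and the iptables rendering are my own assumptions about how one would keep and apply such a list.

```python
# Added example, not from the original post. Handle the CIDR blocks the posts
# recommend blocking with the standard-library ipaddress module.
import ipaddress

# Blocks named in the posts: the MAXHOSTING half of GlobalNET's /18, and the
# Latnet /24 from the earlier post.
BLOCKLIST = [
    ipaddress.ip_network("77.78.224.0/19"),
    ipaddress.ip_network("159.148.117.0/24"),
]


def address_range(cidr):
    """First and last address covered by a CIDR block, as dotted-quad strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def split_half(cidr, upper=True):
    """One half of a block as a one-bit-longer prefix, e.g. the /19 rented out of a /18."""
    lower, upper_half = ipaddress.ip_network(cidr).subnets(prefixlen_diff=1)
    return str(upper_half if upper else lower)


def matching_block(ip, blocklist=BLOCKLIST):
    """The blocklist entry containing ip, or None if the address is not covered."""
    addr = ipaddress.ip_address(ip)
    for net in blocklist:
        if addr in net:
            return str(net)
    return None


def iptables_rules(blocklist=BLOCKLIST):
    """Render the blocklist as one DROP rule per block (assumed target format)."""
    return [f"iptables -A INPUT -s {net} -j DROP" for net in blocklist]


if __name__ == "__main__":
    for net in BLOCKLIST:
        print(net, "=", "-".join(address_range(str(net))))
    print("upper half of 77.78.192.0/18:", split_half("77.78.192.0/18"))
    for ip in ("77.78.230.1", "77.78.192.140", "159.148.117.42", "192.0.2.1"):
        print(ip, "->", matching_block(ip) or "not blocked")
    print("\n".join(iptables_rules()))
```

Note that 77.78.192.140, the phishing site in the legitimate half of GlobalNET's range, is not caught by the /19 rule; if you want it blocked it needs its own /32 entry, which is exactly the "block the range or the domains listed below" trade-off the post describes.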

The spammers seem to be busy today, using an old trick of embedding a spam in a template lifted from a legitimate business. This particular one is from Chase bank in the US; the key "hook" they use to get people to click is:

Your Webroot Spysweeper with AntiVirus Product Protection Plan has been successfully renewed and charged to the credit card you have on file with us. With this automatic renewal, you will continue to have uninterrupted anti-virus software protection on your PC for another year plus these great benefits:

• Best in Class Security Software
• No hassle automatic renewals makes sure that you will never go unprotected
• Receive all version updates free of charge
• Cancel at any time and received a refund for any unused months of protection
• Simple Customer Support, Call 1-888-BESTBUY with any questions

If you have any questions about your protection plan or your recent renewal, please contact our Customer Support Team at 1-888-BESTBUY (1-888-237-8289), and ask for the Subscription Software Team.

Thank you again for your business, and being a Best Buy Customer.

Sincerely,

Best Buy Stores, L.P.


Payload and approach seem to be exactly the same as this one, with a Bredolab dropper. Again, it routes through yummyeyes.ru, and you should look for the same log entries (requests to a .ru host on port 8080 and for /x.html) to make sure you are clean.

In this case the intermediate step is a hacked site at peninsula.co.nz/x.html but it probably varies.

If you are not in the US, then blocking bestbuy.com at your mail perimeter will do no harm.

We're seeing a batch of fake emails "from" Evite [info@mailva.evite.com] with the subject "Thanks for planning your event with Evite"

Hi [victim],
Did you and your guests take photos at your event:
Curt's 30th Birthday!?
Click the button below to create an email asking your guests to share their photos.

Or click the button below to upload your own photos.

The link in the email leads to a hacked site (so far beroemdnaakt.net/x.html and www.myadexpert.org/x.html) but these are just intermediate steps, the payload site is at yummyeyes.ru:8080/index.php?pid=10 which then tries to download a poorly detected version of the Bredolab trojan.
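Checking for the two indicators that both this post and the Best Buy post above point at, as an added example (not code from the original posts): a request to a .ru host on port 8080 (the payload site) and a request for /x.html on some hacked site (the intermediate step). The log lines are constructed in a Squid-style access log layout; only yummyeyes.ru:8080/index.php?pid=10 and the /x.html hosts come from the posts, everything else is made up.

```python
# Added example, not from the original posts. Scan proxy log lines for the
# indicators described above and report which clients reached which stage.
from urllib.parse import urlsplit

# Constructed Squid-style access log: time elapsed client action/code size method url ...
# The two .ru/x.html hosts and the yummyeyes.ru URL are the ones named in the posts.
SAMPLE_LOG = """\
1281012345.123    412 192.0.2.10 TCP_MISS/200 1532 GET http://www.myadexpert.org/x.html - DIRECT/203.0.113.9 text/html
1281012346.001    880 192.0.2.10 TCP_MISS/200 9911 GET http://yummyeyes.ru:8080/index.php?pid=10 - DIRECT/198.51.100.7 application/octet-stream
1281012347.555     90 192.0.2.11 TCP_HIT/200 2300 GET http://www.example.invalid/index.html - NONE/- text/html
1281012348.800    250 192.0.2.12 TCP_MISS/200 4100 GET http://beroemdnaakt.net/x.html - DIRECT/203.0.113.21 text/html
1281012349.120    300 192.0.2.13 TCP_MISS/200 700 GET http://static.example.ru/logo.png - DIRECT/203.0.113.30 image/png
"""


def classify_url(url):
    """Indicator names matching a URL: the .ru:8080 payload stage and/or /x.html hop."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []
    # Payload stage: a .ru host contacted on port 8080, as in yummyeyes.ru:8080.
    if host.endswith(".ru") and parts.port == 8080:
        hits.append("ru-port-8080")
    # Intermediate stage: the /x.html page dropped on a hacked legitimate site.
    if parts.path.endswith("/x.html"):
        hits.append("x-html-intermediate")
    return hits


def scan_log(text):
    """(client, url, indicators) for every log line that matches at least one indicator."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a well-formed access log line
        client, url = fields[2], fields[6]
        hits = classify_url(url)
        if hits:
            results.append((client, url, hits))
    return results


def infected_clients(text):
    """Clients that fetched the payload URL, i.e. got past the intermediate hop."""
    return sorted({c for c, _, hits in scan_log(text) if "ru-port-8080" in hits})


if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(f"{client:12} {','.join(hits):22} {url}")
    print("clients that reached the payload site:", infected_clients(SAMPLE_LOG))
```

A client that only appears against /x.html may have been blocked or timed out before the second stage; the ones listed by infected_clients are the machines to pull for a malware check first.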

Thursday, 5 August 2010

As far as I can tell, there is no such company as "Shifflett Martin Stores". There may be legitimate companies with a similar name, but this particular job offer is a fraud.

The insistence that potential employees / victims have a bank account with either Wells Fargo or Wachovia indicates that they will probably be accepting wire transfers from bank accounts where the password has been stolen (because transfers between accounts in the same bank are usually immediate).

I am Ceaser Martin, owner of Shifflett Martin Stores I seek an online virtual assistant to accept payments on my behalf in the United States of America. Requirements **Applicants must have a Wells Fargo or Wachovia bank account*** You are also eligible to apply if you can open a new Wells Fargo or Wachovia account. Great pay (15% of each payment processed), flexible and will not affect your present employment. Interested and meet the requirements? Send Full Names, Address, Direct Telephone Number and email address to gapstarrrss11@aol.com

Originating IP is 80.8.199.189, an open proxy in Réunion of all places.

Wednesday, 4 August 2010

If you work in IT Security then malicious ads are a regular pain in the backside.. and you probably wonder why "reputable" ad networks get talked into running them. This article is possibly the best thing I have read on the problem, written from the ad network's point of view. It seems the Bad Guys do go to extraordinary lengths to try to look genuine, but sometimes the simplest checks can reveal that they are not what they seem.